When it comes to third-party risk management, DORA highlights three areas:

1. Companies must have a defined policy and strategy for managing third-party risks, communicated through the organization in an actionable plan.
2. An increased understanding of risk-level introduced by third parties. When making any contractual agreements, always perform a due diligence.
3. Know the potential impact of risks. An understanding of the mapping between the contractual service requirements and the business services supported by the providers, will allow for a successful business continuity planning.

Many of the requirements mapped out in DORA are things that we believe every organisation should consider if they want to ensure the security of their business and their customers. Third party risk management is one of those requirements and tend to often be neglected, even though it has played a vital role in many of the recent big cyber events such as the Kaseya attack in 2021, resulting in the temporary disruption of hundreds of Coop-stores in Sweden.

So how do you manage third party risk?

Doing a cybersecurity due diligence when acquiring a new service might be crucial. When investing in a new service, it is important to make sure that it not only meets the functional requirements, but also the security requirements. If not, every new service will bring additional security risks and one of them could eventually lead to a disaster. It is therefore important to be thorough when acquiring a new service.

But – the risk doesn’t stop after procurement. As stated in DORA, if you want to minimize the risk and maintain a good risk posture you must keep monitoring the services for new vulnerabilities. There will always be new vulnerabilities and the key is to detect them in time. The sooner you detect and patch, the more you reduce the risk of a potentially serious incident. Monitoring third-party risk is an essential part of any organization´s security.